The RUCKUS ICX Multicast Source Discovery Protocol router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-273576 | RCKS-RTR-000080 | SV-273576r1110885_rule | CCI-001368 | low |
| Description |
|---|
| To avoid global visibility of local information, a number of source-group (S, G) states in a PIM-SM domain must not be leaked to another domain: multicast sources with private addresses, administratively scoped multicast groups, and the auto-RP groups (224.0.1.39 and 224.0.1.40). Allowing a multicast distribution tree that is local to the core to extend beyond its boundary could let local multicast traffic leak into other autonomous systems and customer networks. |
| STIG | Date |
|---|---|
| RUCKUS ICX Router Security Technical Implementation Guide | 2025-06-03 |
Details
Check Text (C-273576r1110885_chk)
Check that an outbound SA filter is applied on each MSDP peer:
ICX# show msdp peer x.x.x.x | include Output
Output SA Filter:Applicable
Output (S,G) route-map:out_MSDP_SA_filter
Output RP route-map:None
If any configured MSDP peer does not filter outbound SA advertisements so that local-only multicast sources and groups are withheld (Output SA Filter is not Applicable, or no outbound (S,G) route-map is set), this is a finding.
Fix Text (F-77572r1109749_fix)
Create an access list that denies the undesirable sources and groups, reference it from a route-map, and apply the route-map as the outbound source-active filter under the MSDP peer:
ip access-list extended out_MSDP_SA_filter
sequence 10 deny ip 10.0.0.0/8 any
sequence 20 permit ip any any
route-map out_MSDP_SA_filter permit 10
match ip address out_MSDP_SA_filter
router msdp
msdp-peer x.x.x.x
sa-filter originate route-map out_MSDP_SA_filter
!
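The two pieces of this rule, the per-peer check and the filter semantics, can be exercised offline. The script below is an added example, not part of the STIG or of RUCKUS software: it parses a constructed sample of `show msdp peer` output (the field labels follow the check text; the peer header and other lines are assumed) and reports peers that lack an applicable outbound SA filter, and it models which (S,G) pairs the description says must be withheld. Note that the sample ACL in the fix text denies only 10.0.0.0/8 sources; the evaluator here covers the fuller set the description names (all RFC 1918 source ranges, 239.0.0.0/8 groups, and the two auto-RP groups), which is an assumption about what a complete filter should contain.

```python
"""Added example: audit MSDP peers and model the outbound SA filter."""
import ipaddress
import re

# Constructed sample of 'show msdp peer' output for two peers. Only the
# three "Output ..." field labels are taken from the check text; the rest
# of the layout is assumed.
SAMPLE_SHOW_MSDP_PEER = """\
MSDP Peer 192.0.2.1, AS 64500
  State: Established, Up for 03:12:44
  Input SA Filter:Not Applicable
  Output SA Filter:Applicable
  Output (S,G) route-map:out_MSDP_SA_filter
  Output RP route-map:None
MSDP Peer 198.51.100.7, AS 64501
  State: Established, Up for 11:03:09
  Input SA Filter:Not Applicable
  Output SA Filter:Not Applicable
  Output (S,G) route-map:None
  Output RP route-map:None
"""

PEER_RE = re.compile(r"^MSDP Peer (\d+\.\d+\.\d+\.\d+)")
FIELD_RE = re.compile(
    r"^\s*(Output SA Filter|Output \(S,G\) route-map|Output RP route-map):(.*)$"
)


def parse_msdp_peers(text):
    """Return {peer_ip: {field: value}} for the outbound-filter fields of each peer."""
    peers = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            peers[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            peers[current][m.group(1)] = m.group(2).strip()
    return peers


def noncompliant_peers(text):
    """Peers whose outbound SA filter is not applicable or has no (S,G) route-map.

    Each returned peer is a finding under this rule.
    """
    bad = []
    for ip, fields in parse_msdp_peers(text).items():
        if (fields.get("Output SA Filter") != "Applicable"
                or fields.get("Output (S,G) route-map", "None") == "None"):
            bad.append(ip)
    return sorted(bad)


# Ranges the description says must not leave the PIM-SM domain. The page's
# own ACL denies only 10.0.0.0/8; the remaining entries are an assumption
# about what a complete filter should cover.
PRIVATE_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_SCOPED_GROUPS = ipaddress.ip_network("239.0.0.0/8")
AUTO_RP_GROUPS = {ipaddress.ip_address("224.0.1.39"),
                  ipaddress.ip_address("224.0.1.40")}


def sa_must_be_filtered(source, group):
    """True if an (S,G) source-active entry must be withheld from external peers."""
    s = ipaddress.ip_address(source)
    g = ipaddress.ip_address(group)
    if any(s in net for net in PRIVATE_SOURCES):
        return True
    return g in ADMIN_SCOPED_GROUPS or g in AUTO_RP_GROUPS


def leaked_sas(sa_entries):
    """Given (source, group) pairs, return those the outbound filter must drop."""
    return [(s, g) for s, g in sa_entries if sa_must_be_filtered(s, g)]


if __name__ == "__main__":
    print("Peers lacking an outbound SA filter:",
          noncompliant_peers(SAMPLE_SHOW_MSDP_PEER))
    # Constructed (S,G) entries: a private source, a public source to a
    # global group, an admin-scoped group, and an auto-RP group.
    sample = [("10.1.1.5", "224.1.1.1"), ("203.0.113.9", "224.1.1.1"),
              ("203.0.113.9", "239.1.2.3"), ("203.0.113.9", "224.0.1.39")]
    for s, g in sample:
        print(s, g, "FILTER" if sa_must_be_filtered(s, g) else "advertise")
```

To make the fix text's ACL match this evaluator, the operator would add deny entries before the final permit for the other private source ranges, for any destination in 239.0.0.0/8, and for the two auto-RP group addresses; the exact ICX ACL syntax for those entries should be confirmed against the platform's command reference rather than taken from this example.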